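<?xml version="1.0" ?>
<!--
  AgentProtocol request message (Command = RequestCustomAction), rebuilt from
  an OCR scan of a printed listing. Viewer collapse markers ("-") and scan
  noise were removed, tags and quotes were restored, and the "<" / ">" of the
  placeholder tokens were escaped so the document is well-formed. Values whose
  characters cannot be settled from the scan are kept as scanned and flagged.
  Sheet caption printed with this listing, as scanned:
  "CUSTOM ACTIONS PROTOCOL RESP XML" (the Command below is a request).

  Each CustomActions element names a library (a DLL path or a GUID) and the
  Method elements to invoke, with typed in/out Parameter values.

  NOTE(review): no element of this message authenticates the sender or
  protects the message integrity. Because the message directs the receiver to
  load a library and call a method, confirm that the transport or an outer
  envelope provides both, and that the receiver restricts which libraries and
  methods it accepts.
-->
<!-- xsi:schemaLocation is only a hint; a validator should load
     CustomActionsProtocol.xsd from a trusted local copy, not from a location
     named by the document. -->
<AgentProtocol xmlns="http://www.nai.com"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command>
    <!-- Host name kept exactly as scanned. -->
    <Server>nedlwnts2ke</Server>
  </ControlData>

  <!-- Library named by path. AGENT_INSTALLED_DIR is a placeholder token,
       presumably expanded by the receiver (confirm). The file name is kept as
       scanned; its last character before ".dll" may be the digit 1.
       NOTE(review): confirm the expanded path cannot leave the install
       directory. -->
  <CustomActions id="&lt;AGENT_INSTALLED_DIR&gt;\\CustomActionsLibrary\\CustActl.dll">
    <Method id="GetRegStringValue">
      <Parameter id="Key" type="xs:string" inout="in">&lt;AGENT_INSTALLED_REGKEY&gt;</Parameter>
      <Parameter id="Valuename" type="xs:string" inout="in">AgentVersion</Parameter>
      <Parameter id="Result" type="xs:string" inout="out" />
    </Method>
  </CustomActions>

  <!-- Library and interfaces named by GUID. The listing repeats the same
       Interface id for both Interface elements. -->
  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="ExecuteSilentInstallation">
        <Parameter id="ProductName" type="xs:string" inout="in">TestInstallProduct</Parameter>
        <!-- The type attribute says xs:decimal but the value is written in
             0x notation, which is not a valid xs:decimal lexical form, so a
             receiver cannot rely on generic XSD datatype checks here. -->
        <Parameter id="ProductVersion" type="xs:decimal" inout="in">0x01000001</Parameter>
        <!-- NOTE(review): the install source is taken from the request;
             confirm the receiver checks where images may be loaded from. -->
        <Parameter id="Location" type="xs:string" inout="in">c:\InstallImages</Parameter>
        <Parameter id="Result" type="xs:string" inout="out" />
      </Method>
    </Interface>

    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out" />
        <Parameter id="Result" type="xs:decimal" inout="out" />
      </Method>
    </Interface>
  </CustomActions>

  <CustomActions id="{06E0062B-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="TriggerEvent">
        <Parameter id="EventID" type="xs:decimal" inout="in">1000</Parameter>
        <!-- Declared xs:decimal in the listing although the value is text.
             The %NAME% tokens match the ids of the parameters that follow;
             presumably they are substituted by the receiver (confirm).
             NOTE(review): the substituted values come from the request, so
             whatever renders or logs the final text should treat them as
             data, not markup. -->
        <Parameter id="EventDescription" type="xs:decimal" inout="in">The event %EventID% has been triggered by %USERNAME% on computer %COMPUTERNAME%. The %FILENAME% file is infected with %VIRUSNAME%. This has been detected by engineversion %ENGINEVERSION% datversion %DATVERSION%.</Parameter>
        <Parameter id="COMPUTERNAME" type="xs:string" inout="in">sourcecomputer</Parameter>
        <Parameter id="USERNAME" type="xs:string" inout="in">sourceuser</Parameter>
        <Parameter id="FILENAME" type="xs:string" inout="in">kernel32.dll</Parameter>
        <!-- Value kept as scanned. -->
        <Parameter id="VIRUSNAME" type="xs:string" inout="in">Nimbda</Parameter>
        <Parameter id="ENGINEVERSION" type="xs:decimal" inout="in">0x04005001</Parameter>
        <Parameter id="DATVERSION" type="xs:decimal" inout="in">0x07003009</Parameter>
        <Parameter id="Result" type="xs:string" inout="out" />
      </Method>
    </Interface>
  </CustomActions>
</AgentProtocol>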
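<?xml version="1.0" ?>
<!--
  AgentProtocol response message, rebuilt from an OCR scan of a printed
  listing. Viewer collapse markers and scan noise were removed, tags and
  quotes were restored, and the "<" / ">" of the placeholder token were
  escaped so the document is well-formed. It carries one "out" Parameter set
  per Method, under the same library, interface and method ids that identify
  the call.

  NOTE(review): the results include host details (a version string, the
  system directory, an error text). Confirm that the channel carrying this
  message protects them, and that the receiver treats every returned string
  as untrusted input.
-->
<!-- xsi:schemaLocation is only a hint; validate against a trusted local copy
     of CustomActionsProtocol.xsd. -->
<AgentProtocol xmlns="http://www.nai.com"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <!-- Command value and host name kept exactly as scanned. -->
    <Command>RspondToCustomAction</Command>
    <Server>nedlwnts2ke</Server>
  </ControlData>

  <!-- File name kept as scanned; its last character before ".dll" may be the
       digit 1. -->
  <CustomActions id="&lt;AGENT_INSTALLED_DIR&gt;\\CustomActionsLibrary\\CustActl.dll">
    <Method id="GetRegStringValue">
      <Parameter id="Result" type="xs:string" inout="out">5.0.1.10</Parameter>
    </Method>
  </CustomActions>

  <CustomActions id="{06E0062A-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="ExecuteSilentInstallation">
        <!-- A failure is reported as free text in Result; the listing shows
             no separate status code for this method. -->
        <Parameter id="Result" type="xs:string" inout="out">Error: Invalid Image path specified.</Parameter>
      </Method>
    </Interface>

    <Interface id="{C9E1CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="GetSystemDirectory">
        <Parameter id="Directory" type="xs:string" inout="out">C:\Winnt\System32</Parameter>
        <Parameter id="Result" type="xs:decimal" inout="out">0</Parameter>
      </Method>
    </Interface>
  </CustomActions>

  <CustomActions id="{06E0062B-5069-4793-ACED-F80BE1BBC4AF}">
    <Interface id="{A000CC03-8007-412A-8F5D-532C57DF4482}">
      <Method id="TriggerEvent">
        <Parameter id="Result" type="xs:string" inout="out">Event sent to testcomputer2</Parameter>
      </Method>
    </Interface>
  </CustomActions>
</AgentProtocol>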



CUSTOM ACTIONS PROTOCOL RESP XML 




Inventor: NEDBAL et al.

SN 10/092,420/Sheet 13 of 25 

Atty. Dkt: 550-322 




Inventor: NEDBAL et al.

SN 10/092,420/Sheet 14 of 25

Atty. Dkt.: 550-322 



14/25 



AMG 



| EXTENSION TYPE 

I 
I 

EVENTS [t^.^^y^ L EXTENSIONS[Jl- (^lf§^^ 



-=AMG 
15 I 



I 



J -WMP 



AGENT CONFIGURATION XSOL - FILE CONFIGURATION 



FIG. 13 



DAPl CONFIGURATION Q - £*»*^ Q£ BINARY PROPERTY Jj 

1..O0 

AGENT CONFIGURATION XSOL - DAPl CONFIGURATION 



FIG. 14 



Inventor: NEDBAL et al.

SN 10/092,420/Sheet 15 of 25 

Atty. Dkt.: 550-322 



15/25 



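<?xml version="1.0" ?>
<!--
  AgentProtocol request (Command = RequestCustomAction) carrying configuration
  data, rebuilt from an OCR scan of a printed listing. Viewer collapse markers
  and scan noise were removed and tags and quotes were restored so the
  document is well-formed. Three mapping libraries are named, each with a
  WriteConfig and a ReadConfig method whose payload is a configuration
  element: RegistryConfiguration, FileConfiguration or DAPIConfiguration.

  NOTE(review): the WriteConfig payloads name their own targets, namely a key
  under HKEY_LOCAL_MACHINE, a file under C:\Program Files and a directory
  container. Confirm that the receiver authenticates the sender and limits the
  keys, paths and containers a request may name; nothing in the message itself
  restricts them.
-->
<!-- xsi:schemaLocation lists two schema documents for the same namespace and
     is only a hint; validate against trusted local copies. -->
<AgentProtocol xmlns="http://www.nai.com"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.nai.com CustomActionsProtocol.xsd
                                   http://www.nai.com AgentConfiguration.xsd">
  <ControlData>
    <Version>0x01000001</Version>
    <MinVersion>0x01000001</MinVersion>
    <Command>RequestCustomAction</Command>
    <!-- Host name kept exactly as scanned. -->
    <Server>nedlwnts2ke</Server>
  </ControlData>

  <CustomActions id="RegistryMapping.dll">
    <Method id="WriteConfig">
      <RegistryConfiguration id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee">
        <Product id="Alert Manager">
          <Version>0x04070000</Version>
          <DisplayName>Alert Manager 4.7</DisplayName>
          <Language id="0407">
            <Version>0x01000002</Version>
            <Event id="1">
              <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>5</Severity>
              <Enabled>1</Enabled>
            </Event>
          </Language>
          <Language id="0409">
            <Version>0x01000002</Version>
            <Event id="1">
              <!-- Message text, including its spelling, is as in the listing. -->
              <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>0</Severity>
              <Enabled>1</Enabled>
            </Event>
            <Event id="2">
              <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
              <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
              <Severity>1</Severity>
            </Event>
          </Language>
        </Product>
      </RegistryConfiguration>
    </Method>

    <Method id="ReadConfig">
      <!-- The id ends in a wildcard, so this read covers everything below the
           key. NOTE(review): confirm what the reply may disclose. -->
      <RegistryConfiguration id="HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\*" />
    </Method>
  </CustomActions>

  <CustomActions id="INIFileMapping.dll">
    <Method id="WriteConfig">
      <FileConfiguration id="C:\Program Files\Alert Manager\AMGConfig.ini">
        <Extensions>
          <amg>AMGConfig</amg>
          <asf>MPEGVideo</asf>
          <wmp>MPEGVideo2</wmp>
        </Extensions>
      </FileConfiguration>
    </Method>

    <Method id="ReadConfig">
      <FileConfiguration id="C:\Program Files\Alert Manager\AMGConfig.ini" />
    </Method>
  </CustomActions>

  <!-- Library name kept as scanned. -->
  <CustomActions id="MAPIMapping.dll">
    <Method id="WriteConfig">
      <DAPIConfiguration id="/O=org/OU=TestSite/CN=TestContainer">
        <!-- Value kept as scanned; the trailing characters may be zeros. -->
        <BinaryProperty>0123456789ABCDEFOOOOO</BinaryProperty>
      </DAPIConfiguration>
    </Method>

    <Method id="ReadConfig">
      <DAPIConfiguration id="/O=org/OU=TestSite/CN=TestContainer" />
    </Method>
  </CustomActions>
</AgentProtocol>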

AGENT CONFIG CUSTOM ACTION XML 
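<?xml version="1.0" ?>
<!--
  AMGEvents instance document, rebuilt from an OCR scan of a printed listing.
  Viewer collapse markers and scan noise were removed and tags and quotes were
  restored so the document is well-formed. It lists, per Product and per
  Language id, the Event entries with their long and short descriptions,
  severity and optional Enabled flag.
-->
<!-- xsi:schemaLocation is only a hint; validate against a trusted local copy
     of AMGEvents.xsd. -->
<AMGEvents xmlns="http://www.nai.com"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.nai.com AMGEvents.xsd">
  <Product id="Alert Manager">
    <Version>0x04070000</Version>
    <DisplayName>Alert Manager 4.7</DisplayName>

    <Language id="0407">
      <Version>0x01000002</Version>
      <Event id="1">
        <LONGDESCRIPT>Das ist eine Test-Nachricht von Alert Manager.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>5</Severity>
        <Enabled>1</Enabled>
      </Event>
    </Language>

    <Language id="0409">
      <Version>0x01000002</Version>
      <Event id="1">
        <!-- Message text, including its spelling, is as in the listing. -->
        <LONGDESCRIPT>This is an alert manager test messge.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>0</Severity>
        <Enabled>1</Enabled>
      </Event>
      <Event id="2">
        <LONGDESCRIPT>Text of event 2.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="3">
        <LONGDESCRIPT>Text of event 3.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
      <Event id="4">
        <LONGDESCRIPT>Text of event 4.</LONGDESCRIPT>
        <SHORTDESCRIPT>Testing</SHORTDESCRIPT>
        <Severity>1</Severity>
      </Event>
    </Language>
  </Product>
</AMGEvents>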
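<?xml version="1.0" encoding="UTF-8" ?>
<!-- edited with XML Spy v4.0.1 U (http://www.xmlspy.com) by Napa lie (Napalm) -->
<!--
  Schema for the AMGEvents vocabulary in the http://www.nai.com namespace,
  rebuilt from an OCR scan of a printed listing. Viewer collapse markers and
  margin noise were removed and tags and quotes were restored; the editor
  credit above is kept as scanned.

  Structure: AMGEvents holds one or more Product elements. A Product holds
  Version, DisplayName and one or more Language elements. A Language holds
  Version and one or more Event elements. An Event holds LONGDESCRIPT,
  SHORTDESCRIPT, Severity and an optional Enabled, in any order (xs:all).
  Product, Language and Event each require an id attribute.

  NOTE(review): every leaf except Enabled is typed xs:string, and so is every
  id attribute. Validation against this schema therefore checks structure
  only; a consumer that treats Severity, Version or the ids as numbers or
  fixed formats has to range-check and parse them itself.
-->
<xs:schema targetNamespace="http://www.nai.com"
           xmlns="http://www.nai.com"
           xmlns:xs="http://www.w3.org/2001/XMLSchema"
           elementFormDefault="qualified">
  <xs:element name="DisplayName" type="xs:string" />
  <xs:element name="Enabled" type="xs:boolean" />

  <!-- One event entry; children may appear in any order, Enabled may be
       omitted. -->
  <xs:complexType name="EventType">
    <xs:all>
      <xs:element ref="LONGDESCRIPT" />
      <xs:element ref="SHORTDESCRIPT" />
      <xs:element ref="Severity" />
      <xs:element ref="Enabled" minOccurs="0" />
    </xs:all>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>

  <!-- One language section: a Version followed by at least one Event. -->
  <xs:complexType name="LanguageType">
    <xs:sequence>
      <xs:element ref="Version" />
      <xs:element name="Event" type="EventType" maxOccurs="unbounded" />
    </xs:sequence>
    <xs:attribute name="id" type="xs:string" use="required" />
  </xs:complexType>

  <xs:element name="Product">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Version" />
        <xs:element ref="DisplayName" />
        <xs:element name="Language" type="LanguageType" maxOccurs="unbounded" />
      </xs:sequence>
      <xs:attribute name="id" type="xs:string" use="required" />
    </xs:complexType>
  </xs:element>

  <!-- Document root. maxOccurs is unbounded here and on Language and Event,
       so the schema puts no ceiling on document size; a consumer of untrusted
       input should bound size and element counts separately. -->
  <xs:element name="AMGEvents">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="Product" maxOccurs="unbounded" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <xs:element name="LONGDESCRIPT" type="xs:string" />
  <xs:element name="SHORTDESCRIPT" type="xs:string" />
  <xs:element name="Severity" type="xs:string" />
  <xs:element name="Version" type="xs:string" />
</xs:schema>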

XSD DATA 
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